How could I disable Jcop CardManager?

My own applet with AID 010203040506070809 has been downloaded to the JCOP card. And it can be selected.

Now my own applet is the current selected applet on the card, but if APDU 00 A4 04 00 00 is sent, the response I got is the FCI of cardmanager but not 0x6700 according to my own applet process logic.

It seems this select APDU does not come into my applet's process method.

What happened, why cardmanager FCI is returned?

Is this a Jcop feature? Can I disable this feature and pass the APDU -- 00 A4 04 00 00 to my own applet process method?

Expecting your answer, thanks in advance :)

[643 byte] By [speclifea] at [2007-11-26 17:43:23]
# 1
I have come across the same problem too. TT When I send my own SELECT APDU, such as 00 a4 04 00 00, it always goes into the Card Manager's logic...
meexinxina at 2007-7-9 0:11:35 > top of Java-index,Java Mobility Forums,Consumer and Commerce...
# 2
This is not a JCOP feature, it is JavaCard. When receiving a SELECT, JavaCard will DESELECT the currently selected Applet and then Select the one specified. Check the Runtime Environment Specification, Java Card™ Platform, Version 2.2.1, section 3.2
forum__usera at 2007-7-9 0:11:35
# 3

SELECT command is specified in GP2.1.1 (don't mix it with the JC select() method). So if you check GP, 9.9 SELECT Command, 9.9.2.3 Data Field Sent in the Command Message: The data field of the command shall contain the AID of the Application to be selected. The Lc and data field of the SELECT command may be omitted if the Issuer Security Domain is being selected. ...

So if you omit the AID, then the OPEN (GlobalPlatform Environment) selects the ISD.

Reference:

http://www.globalplatform.org/specificationview.asp?id=archived --> Card Specification 2.1.1

lexdabeara at 2007-7-9 0:11:35
# 4

Thanks a lot for your reply..

According to GP spec, apdu=00 a4 04 00 00 will select the ISD, that's right.

But I don't expect this, I need all SELECT APDUs to go into my own applet Process method.

I believe there exists some way that can disable the ISD's SELECT privilege... Can anyone help? Thx

meexinxina at 2007-7-9 0:11:35
# 5

All but SELECT and MANAGE CHANNEL commands go to the selected Application. These two commands have to be handled first by the CardManager.

You are right, there is a way to circumvent the CardManager SELECT first-level evaluation: Don't use SELECT [by name] (P1=04) but e.g. SELECT [by file] (P1=02). This SELECT should be passed to the Applet: 00 A4 02 00 00

lexdabeara at 2007-7-9 0:11:35
# 6
Thx for lexdabear's help! But I need to circumvent the CardManager SELECT first-level evaluation with '00 A4 04 00 00'. Besides, could you give me your mail address or MSN? Thx very much!
meexinxina at 2007-7-9 0:11:35
# 7

If you have a JCOP card, you could disable the CardManager by sending 10 times INITIALIZE UPDATE without EXTERNAL AUTHENTICATE (additional security mechanism). But before you do this, make sure

- Applet is installed default selected (INSTALL [for install and make selectable] Application privilege, bit 3 set (e.g. 04)). With JCOP Tools you can set it: Run ... --> Package Upload --> select Applet --> Edit --> check in 'Application Privileges': 'Default Selected'

- You are REALLY sure you won't need any content / security / life cycle management in the future

lexdabeara at 2007-7-9 0:11:35
# 8

I have INSTALLed my own applet as DEFAULT SELECT, and I want to circumvent the CardManager SELECT first-level evaluation with all APDUs, but unfortunately, my way is not useful...

00 A4 04 00 00 is always selecting the ISD.

I have followed your method of sending INITIALIZE UPDATE 10 times without EXTERNAL AUTHENTICATE, and my applet PRIVILEGE is DEFAULT SELECT.

But then I send '00a4040000', and the FCI of ISD is returned. ><

Could other ways be useful? Thx for your help!

meexinxina at 2007-7-9 0:11:35
# 9

You are right. On SELECT without data field the ISD still answers with FCI. All other services are not working though (INIT-UPD, EXT-AUTH, INSTALL ...).

So I do not see any possibility to circumvent the CM when sending SELECT without data field. You need a pure Java Card, without GP functionality.

Why can't you send a SELECT <Applet AID> ?

lexdabeara at 2007-7-9 0:11:35
# 10

Because I am passing a standard test, the test needs all APDUs to go through my own logic... I think you are right, what I need is a pure JavaCard.

My card is PHILIPS' Jcop v2.2, compliant with GP2.1.1 and Javacard API 2.2.1. Do you know any ways to make it not comply with GP?

meexinxina at 2007-7-9 0:11:35
# 11
There is no way to set JCOP V2.2 to be not GP2.1.1 compliant. If you have a big business case you could try to contact the product manager at IBM or NXP for a JCOP version that is only Java Card 2.2.1 compliant.
lexdabeara at 2007-7-9 0:11:35
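
A simplified model of the first-level dispatch described in replies #3, #5 and #9, as an added example that is not part of the original thread and is not JCOP or GlobalPlatform code. The function names and handler labels are hypothetical, only short-form APDUs are parsed, and a SELECT [by name] for an AID that is not installed is left unmodelled because the thread does not cover it.

```python
ISD = "ISD"                              # label for the Issuer Security Domain
INS_SELECT, INS_MANAGE_CHANNEL = 0xA4, 0x70
P1_SELECT_BY_NAME = 0x04

def parse_apdu(hex_str):
    """Split a short-form command APDU into (cla, ins, p1, p2, data)."""
    raw = bytes.fromhex(hex_str.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    data = b""
    if len(raw) > 5:                     # P3 is Lc and a data field follows
        lc = raw[4]
        if len(raw) not in (5 + lc, 6 + lc):   # optional trailing Le byte
            raise ValueError("Lc does not match the data field length")
        data = raw[5:5 + lc]
    # 4 bytes, or 5 bytes with P3 = 00: there is no data field
    return cla, ins, p1, p2, data

def route(hex_str, installed_aids, current):
    """Return (handler, selected_after) for one command.

    handler is 'card manager' or 'applet'; selected_after is the application
    that is selected once the command has been handled.
    """
    cla, ins, p1, p2, data = parse_apdu(hex_str)
    interindustry = (cla & 0x80) == 0    # simplification: ignores channel bits
    if interindustry and ins == INS_MANAGE_CHANNEL:
        return "card manager", current
    if interindustry and ins == INS_SELECT and p1 == P1_SELECT_BY_NAME:
        if not data:                     # 00 A4 04 00 00: no AID, ISD is selected
            return "card manager", ISD
        aid = data.hex().upper()
        if aid in installed_aids:        # current applet is deselected first
            return "card manager", aid
        raise LookupError("AID not installed; outcome not covered by the thread")
    return "applet", current             # everything else reaches process()

if __name__ == "__main__":
    my_aid = "010203040506070809"        # AID from the original question
    for apdu in ("00 A4 04 00 00", "00 A4 02 00 00",
                 "00 A4 04 00 09 010203040506070809"):
        print(apdu, "->", route(apdu, {my_aid}, my_aid))
```
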